diff options
Diffstat (limited to 'crypto/heimdal/kcm/kcm.8')
-rw-r--r-- | crypto/heimdal/kcm/kcm.8 | 224 |
1 files changed, 224 insertions, 0 deletions
diff --git a/crypto/heimdal/kcm/kcm.8 b/crypto/heimdal/kcm/kcm.8 new file mode 100644 index 0000000..4a72eb3 --- /dev/null +++ b/crypto/heimdal/kcm/kcm.8 @@ -0,0 +1,224 @@ +.\" Copyright (c) 2005 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $Id: kcm.8 15497 2005-06-20 13:32:44Z lha $ +.\" +.Dd May 29, 2005 +.Dt KCM 8 +.Os Heimdal +.Sh NAME +.Nm kcm +.Nd +is a process based credential cache for Kerberos tickets. +.Sh SYNOPSIS +.Nm +.Op Fl -cache-name= Ns Ar cachename +.Oo Fl c Ar file \*(Ba Xo +.Fl -config-file= Ns Ar file +.Xc +.Oc +.Oo Fl g Ar group \*(Ba Xo +.Fl -group= Ns Ar group +.Xc +.Oc +.Op Fl -max-request= Ns Ar size +.Op Fl -disallow-getting-krbtgt +.Op Fl -detach +.Op Fl h | Fl -help +.Oo Fl k Ar principal \*(Ba Xo +.Fl -system-principal= Ns Ar principal +.Xc +.Oc +.Oo Fl l Ar time \*(Ba Xo +.Fl -lifetime= Ns Ar time +.Xc +.Oc +.Oo Fl m Ar mode \*(Ba Xo +.Fl -mode= Ns Ar mode +.Xc +.Oc +.Op Fl n | Fl -no-name-constraints +.Oo Fl r Ar time \*(Ba Xo +.Fl -renewable-life= Ns Ar time +.Xc +.Oc +.Oo Fl s Ar path \*(Ba Xo +.Fl -socket-path= Ns Ar path +.Xc +.Oc +.Oo Xo +.Fl -door-path= Ns Ar path +.Xc +.Oc +.Oo Fl S Ar principal \*(Ba Xo +.Fl -server= Ns Ar principal +.Xc +.Oc +.Oo Fl t Ar keytab \*(Ba Xo +.Fl -keytab= Ns Ar keytab +.Xc +.Oc +.Oo Fl u Ar user \*(Ba Xo +.Fl -user= Ns Ar user +.Xc +.Oc +.Op Fl v | Fl -version +.Sh DESCRIPTION +.Nm +is a process based credential cache. +To use it, set the +.Ev KRB5CCNAME +enviroment variable to +.Ql KCM: Ns Ar uid +or add the stanza +.Bd -literal + +[libdefaults] + default_cc_name = KCM:%{uid} + +.Ed +to the +.Pa /etc/krb5.conf +configuration file and make sure +.Nm kcm +is started in the system startup files. +.Pp +The +.Nm +daemon can hold the credentials for all users in the system. Access +control is done with Unix-like permissions. The daemon checks the +access on all operations based on the uid and gid of the user. The +tickets are renewed as long as is permitted by the KDC's policy. +.Pp +The +.Nm +daemon can also keep a SYSTEM credential that server processes can +use to access services. One example of usage might be an nss_ldap +module that quickly needs to get credentials and doesn't want to renew +the ticket itself. +.Pp +Supported options: +.Bl -tag -width Ds +.It Xo +.Fl -cache-name= Ns Ar cachename +.Xc +system cache name +.It Xo +.Fl c Ar file , +.Fl -config-file= Ns Ar file +.Xc +location of config file +.It Xo +.Fl g Ar group , +.Fl -group= Ns Ar group +.Xc +system cache group +.It Xo +.Fl -max-request= Ns Ar size +.Xc +max size for a kcm-request +.It Xo +.Fl -disallow-getting-krbtgt +.Xc +disallow extracting any krbtgt from the +.Nm kcm +daemon. +.It Xo +.Fl -detach +.Xc +detach from console +.It Xo +.Fl h , +.Fl -help +.Xc +.It Xo +.Fl k Ar principal , +.Fl -system-principal= Ns Ar principal +.Xc +system principal name +.It Xo +.Fl l Ar time , +.Fl -lifetime= Ns Ar time +.Xc +lifetime of system tickets +.It Xo +.Fl m Ar mode , +.Fl -mode= Ns Ar mode +.Xc +octal mode of system cache +.It Xo +.Fl n , +.Fl -no-name-constraints +.Xc +disable credentials cache name constraints +.It Xo +.Fl r Ar time , +.Fl -renewable-life= Ns Ar time +.Xc +renewable lifetime of system tickets +.It Xo +.Fl s Ar path , +.Fl -socket-path= Ns Ar path +.Xc +path to kcm domain socket +.It Xo +.Fl -door-path= Ns Ar path +.Xc +path to kcm door socket +.It Xo +.Fl S Ar principal , +.Fl -server= Ns Ar principal +.Xc +server to get system ticket for +.It Xo +.Fl t Ar keytab , +.Fl -keytab= Ns Ar keytab +.Xc +system keytab name +.It Xo +.Fl u Ar user , +.Fl -user= Ns Ar user +.Xc +system cache owner +.It Xo +.Fl v , +.Fl -version +.Xc +.El +.\".Sh ENVIRONMENT +.\".Sh FILES +.\".Sh EXAMPLES +.\".Sh DIAGNOSTICS +.\".Sh SEE ALSO +.\".Sh STANDARDS +.\".Sh HISTORY +.\".Sh AUTHORS +.\".Sh BUGS |